evaluate: validate maximum log statement prefix length

commit 6ceec21204e0260af2d50e9e987d0fe3c79c28d4 upstream.

Otherwise too long string overruns the log prefix buffer.

Fixes: e76bb3794018 ("src: allow for variables in the log prefix string")
Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1714
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

diff --git a/src/evaluate.c b/src/evaluate.c
index c183832bb72313c8fef88d6e2f6d955a8375717c..fd7354e99cb35d2a51d6ccd0924a38c65c85afa5 100644 (file)
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -3946,8 +3946,13 @@ static int stmt_evaluate_log_prefix(struct eval_ctx *ctx, struct stmt *stmt)
        struct expr *expr;
        size_t size = 0;
 
-       if (stmt->log.prefix->etype != EXPR_LIST)
+       if (stmt->log.prefix->etype != EXPR_LIST) {
+               if (stmt->log.prefix &&
+                   div_round_up(stmt->log.prefix->len, BITS_PER_BYTE) >= NF_LOG_PREFIXLEN)
+                       return expr_error(ctx->msgs, stmt->log.prefix, "log prefix is too long");
+
                return 0;
+       }
 
        list_for_each_entry(expr, &stmt->log.prefix->expressions, list) {
                switch (expr->etype) {